How Deep Discovery Protected Against The Korean MBR Wiper

21 Mar 2013

We have continued to look into the MBR-wiping attacks that hit Korea earlier. We believe we now have a good picture of how the attack was conducted, why it caused so much damage, and how we were able to protect users using the threat detection capabilities found in Deep Discovery.

On March 19, we saw the first indications of this attack when two Trend Micro customers both received a spam message carrying a malicious attachment. The email posed as a message from a bank. The attachment is actually a downloader, which retrieved files from several different URLs. One of these malicious files stole information such as login credentials.

It was at this stage that Deep Discovery was able to protect our customers by heuristically detecting the malicious attachment. The attachment was then run in a sandbox, which produced a list of the URLs it contacted; those URLs were blocked right away. The combination of the information provided by Deep Discovery and decisive action by IT administrators ensured our customers were protected in a timely manner. The screenshot below shows the appearance of the alerts:

We believe that among the login credentials stolen were those for certain central management server applications. These tools were used to push a dropper onto all systems on the local network, instantly spreading the malware throughout the entire organization.

The dropper has four components:

a bash script

a Master Boot Record (MBR) wiper

a PuTTY SSH client

a PuTTY SCP client

The best-known component here is the MBR wiper. It overwrites the contents of the MBR with the Latin words principes and hastati; the reason for these references is unknown. It does not carry out this behavior before March 20.

The malware specifically looks for login credentials saved by two SSH clients: mRemote and SecureCRT. It uses any stored root credentials to log into remote Linux servers; for AIX, HP-UX, and Solaris servers it deletes the MBR. If it is unable to delete the MBR, it instead deletes various important folders.
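The two paragraphs above describe what a wiped boot sector looks like after this attack: the MBR is overwritten with the words principes and hastati, and the 0x55AA boot signature that a real MBR ends with is gone. The following is an added forensic check, not code from the original post or from Trend Micro, that an incident responder could run against the first 512 bytes of a disk image to triage whether a system's MBR is intact or shows signs of this wiper. The marker scan is case-insensitive and position-independent because the page does not give the exact byte layout the malware wrote; the sample sectors at the bottom are constructed for the demonstration, not real disk captures.

```python
import re

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
# Marker words named in the post. Matching is done on lower-cased bytes, so
# any casing the wiper actually used is still found (assumption: the words
# appear verbatim somewhere in the sector).
WIPER_MARKERS = (b"principes", b"hastati")


def inspect_mbr(sector: bytes) -> dict:
    """Return simple integrity findings for one 512-byte boot sector."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least 512 bytes of the disk")
    sector = sector[:MBR_SIZE]
    lowered = sector.lower()
    markers = [m.decode() for m in WIPER_MARKERS if m in lowered]
    has_signature = sector[510:512] == BOOT_SIGNATURE
    # Genuine boot code uses many distinct byte values; a sector filled with a
    # repeated word or a single byte uses very few. Offsets 0-445 hold the
    # boot code, 446-509 the partition table.
    distinct = len(set(sector[:446]))
    return {
        "boot_signature_ok": has_signature,
        "wiper_markers": markers,
        "distinct_bytes_in_code_area": distinct,
        "suspicious": bool(markers) or not has_signature or distinct < 8,
    }


def inspect_image(path: str) -> dict:
    """Read the first sector of a raw disk image and inspect it."""
    with open(path, "rb") as fh:
        return inspect_mbr(fh.read(MBR_SIZE))


# --- constructed sample sectors for the demonstration (not real captures) ---
def make_healthy_sector() -> bytes:
    code = bytes((i * 37 + 11) & 0xFF for i in range(446))  # pseudo boot code
    partition_table = bytes(64)                              # empty table
    return code + partition_table + BOOT_SIGNATURE


def make_wiped_sector(pattern: bytes = b"PRINCIPES") -> bytes:
    # Fill the whole sector with the repeated word, as the post describes.
    return (pattern * (MBR_SIZE // len(pattern) + 1))[:MBR_SIZE]


if __name__ == "__main__":
    for name, sec in (("healthy", make_healthy_sector()),
                      ("wiped", make_wiped_sector()),
                      ("wiped-hastati", make_wiped_sector(b"HASTATI"))):
        print(name, inspect_mbr(sec))
```

Run it against a real image with `inspect_image("/path/to/disk.img")`; on a Linux host the responder would typically image the device first rather than point the script at the raw block device. Any of the three findings (markers present, missing boot signature, near-constant code area) is enough to mark the sector suspicious, so a wiper that used different filler text would still trip the other two checks.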

The reader can see at once how this attack was able to cause so much damage. It rendered both Windows and Linux systems unable to boot, and administrators had no quick way to repair the damage. In addition, as we mentioned in the previous post, cleanup can be time-consuming.

This highlights the importance of a proper custom defense solution in finding threats to act upon. Deep Discovery was able to identify and provide information that proved useful to IT administrators to help protect users.